Serverless Node.js JWT validation

  • Which SDK this is regarding: e.g. auth0-react
  • SDK Version: 1.4.0
  • Platform Version: Node 15

Hey! I am looking for some advice regarding auth0-react server-side usage. I have a simple nextjs application that interacts with an API provided by node.js AWS Lambda functions. Generally, I’ve seen the getAccessTokenSilently as an effective way to call an API. However, what’s not quite clear to me is a clear way to validate the JWT token received server-side.

I think what I’m basically looking for is auth0-react’s equivalent to nextjs-auth0’s WithApiAuthRequired. In other words, it’d be really nice to wrap an API route with a JWT validator. Unfortunately, I don’t believe I can use nextjs-auth0 because I also want to support non-browser (CLI) requests, and from my understanding, nextjs-auth0 is entirely session-based.

Another approach would be like how next-auth.js offers jwt.getToken, which verifies and decrypts the JWT token received as a bearer token. I’m not sure if it’s possible to reuse this, perhaps? My initial attempt failed, but I suspect that may have been caused by this opaqueness.

I’ve also seen other approaches like using the express-jwt library. However, from my understanding, this would not work in a serverless context.

Is there a common approach for this out there? How are others solving this use case?

Thanks,
Ben

Hi @benmarsden,

Welcome to the Community!

If you are simply looking to verify a token signature in node you could use the node-jsonwebtoken library.

AWS also has built in JWT authorizers which make it very easy to attach to an API. We have a blog post that runs through the whole setup with Auth0. Securing AWS HTTP APIs with JWT Authorizers.

Let me know if you have any questions.


Hi Dan,

I’m pretty sure wrapping the functionality from node-jsonwebtoken into a nextjs API route middleware will do the job perfectly. Appreciate the quick help on this!

Cheers,
Ben


Let us know if you have any questions along the way.
